Elementary Threat · BSI IT-Grundschutz

G 0.44 — Unauthorised Entry into Premises

4 min read · Reviewed by: Cenedril Editorial
Tags: BSI IT-Grundschutz · ISO 27001 · ISO 27002

Over one weekend, an office building is broken into. The visible traces are minor: a forced ground-floor window, a stolen coffee cash box, a few missing office supplies. The material damage seems manageable. Only during a routine check two weeks later does it emerge that the central server was tampered with at exactly the time of the break-in. The real loot: full remote access to the corporate network.

Unauthorised entry into premises is a threat that is frequently underestimated in IT security concepts. The BSI lists it as elementary threat G 0.44, with 25 mapped ISO 27001 controls.

What’s behind it?

Unauthorised entry into premises covers every non-authorised physical access to buildings, floors, offices or technical areas. Motives range from theft of valuable hardware through industrial espionage to targeted manipulation of IT systems.

In skilled attacks, the uninterrupted time available is the decisive factor. The longer an attacker has unnoticed access, the greater the potential impact. A few minutes are enough to install a hardware keylogger, plug in a USB stick with malware or photograph confidential documents. With more time, servers can be manipulated, hard drives removed or network taps installed.

Methods of intrusion

  • Classic break-in — forceful opening of windows or doors, usually outside business hours. On top of the immediate theft come material damages that drive up costs.
  • Tailgating / piggybacking — the attacker follows an authorised employee through a secured door. In large organisations where employees do not know each other by sight, this rarely stands out.
  • Fake identity — the attacker poses as a tradesperson, cleaner or delivery driver. Work clothing and a clipboard are often enough to be waved through at reception.
  • Compromise of access systems — key cards can be cloned, PIN codes observed or biometric systems fooled with replicas.

Impact

Unauthorised entry is often only the first step in a multi-stage attack. Physical presence on site enables attacks that would be impossible remotely: access to air-gapped systems, installation of hardware implants, theft of hard drives or backup media. Even when only “minor damage” is visible, the actual compromise can remain unnoticed for weeks or months.

Practical examples

Tailgating at a large bank. A penetration tester enters the building of a large bank in business attire by slipping through the revolving door behind a group of employees. Arriving at the server room (the door was open because a technician was working there), he plugs a USB stick into a free port. Total time to full network access: 22 minutes. No one spoke to him.

Weekend break-in with targeted server manipulation. Burglars pry open a window at a mid-sized company and search the offices. The obvious loot is small. What the forensic analysis shows weeks later: a backdoor was installed on the central database server. Since then customer data has been flowing to an external address.

Fake cleaner in the data centre. A person in a cleaning-service uniform gains access to a server room. Reception does not check the badge because the regular cleaning service is expected at this time. The person photographs network diagrams on the wall, notes IP addresses of servers and leaves the building after 15 minutes.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 25 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.44 with the following modules:

  • INF.1 (General building) — baseline requirements for the physical security of buildings.
  • INF.2 (Data centre and server room) — protection of data centres and server rooms against physical intrusion.
  • INF.7 (Office workstation) — security measures at the workstation (screen lock, clean desk).
  • ORP.1 (Organisation) — organisational measures such as visitor management and key administration.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.11 Return of assets
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.6.2 Terms and conditions of employment
  • A.6.7 Remote working
  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.3 Securing offices, rooms and facilities
  • A.7.4 Physical security monitoring
  • A.7.5 Protecting against physical and environmental threats
  • A.7.6 Working in secure areas
  • A.7.7 Clear desk and clear screen
  • A.7.8 Equipment siting and protection
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.13 Equipment maintenance
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.14 Redundancy of information processing facilities
  • A.8.18 Use of privileged utility programs

Frequently asked questions

Why is unauthorised entry relevant for IT security?

Physical access to IT systems enables attacks that are impossible over the network: direct manipulation of hardware, installation of keyloggers, theft of hard drives or access to unencrypted consoles. Many logical security measures (firewalls, access controls) are ineffective when the attacker is standing in front of the device.

Is a locked entrance door enough as a physical security measure?

A single access barrier does not provide sufficient protection. An effective physical security concept covers multiple zones (reception, office floor, server room), each with its own access controls, supplemented by video surveillance, visitor management and alarms.
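The zoned concept described above also yields a detection signal: when every zone has its own badge reader, a badge that appears in an inner zone without a preceding entry to the enclosing zone is a classic tailgating indicator, and entries at night or on weekends deserve a second look. The following added example (not from the page or from Cenedril) checks constructed badge-reader log lines for both conditions. The zone hierarchy, log format, badge identifiers and business hours are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumed zone hierarchy: a badge must have entered the parent zone before
# the child zone is considered a legitimate entry (anti-passback logic).
ZONE_PARENT = {"lobby": None, "office": "lobby", "serverroom": "office"}

# Assumed business hours, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(7, 0), time(20, 0)

# Constructed badge-reader log: "<ISO timestamp> <badge id> <zone> <enter|exit>".
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 lobby enter
2024-03-04T08:03:40 B1001 office enter
2024-03-04T08:05:02 B2002 office enter
2024-03-04T09:30:15 B2002 serverroom enter
2024-03-04T12:10:00 B1001 office exit
2024-03-04T12:11:00 B1001 lobby exit
2024-03-09T23:42:07 B3003 lobby enter
2024-03-09T23:43:50 B3003 office enter
"""


def parse_log(text):
    """Parse log lines into (timestamp, badge, zone, action) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, zone, action = line.split()
        events.append((datetime.fromisoformat(ts), badge, zone, action))
    events.sort(key=lambda e: e[0])
    return events


def outside_business_hours(ts):
    """True on weekends or outside the assumed daily window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() <= BUSINESS_END)


def find_anomalies(events):
    """Return (timestamp, badge, zone, reason) for each suspicious entry.

    Two checks are applied to every 'enter' event:
      1. zone-sequence violation: the badge has no open entry in the parent zone,
         which is how a tailgater who never badged at the outer door shows up;
      2. entry outside business hours, when tailgating and break-ins are
         hardest to notice.
    """
    present = defaultdict(set)  # badge -> zones the badge currently has open entries in
    findings = []
    for ts, badge, zone, action in events:
        if action == "enter":
            parent = ZONE_PARENT.get(zone)
            if parent is not None and parent not in present[badge]:
                findings.append((ts.isoformat(), badge, zone,
                                 f"entered {zone} without prior {parent} entry (possible tailgating)"))
            if outside_business_hours(ts):
                findings.append((ts.isoformat(), badge, zone, "entry outside business hours"))
            present[badge].add(zone)
        elif action == "exit":
            present[badge].discard(zone)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed log this flags B2002, who appears on the office floor with no lobby entry, and both night-time entries by B3003 on a Saturday. In practice the reader states would be fed from the access-control system's event stream rather than a text file, and the rule should tolerate legitimate exceptions such as emergency doors that record no exit.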

How do I handle visitors and tradespeople?

Visitors and external service providers should be registered at reception, given a visible visitor badge and accompanied in security-relevant areas. Access to server rooms and technical infrastructure should only take place after prior approval and in the presence of an escort.